Tag: Security

Today, Microsoft is announcing that we have entered into an agreement to acquire Miburo, a cyber threat analysis and research company specializing in the detection of and response to foreign information operations.

Microsoft detects and helps customers defend against cyber threats from nation-states as part of our commitment to keep customers safe online. These efforts are underpinned by the threat intelligence we gather, publish, and use to fuel disruptions of malicious nation-state activity across a range of cyber-attack vectors.

Miburo, led by founder Clint Watts, will become part of the Customer Security and Trust organization. Working in close collaboration with the Microsoft Threat Intelligence Center, our Threat Context Analysis team, our data scientists and others, the new analysts from Miburo will enable Microsoft to expand its threat detection and analysis capabilities to address new cyber-attacks and shed light on the ways in which foreign actors use information operations in conjunction with other cyber-attacks to achieve their objectives. Miburo has become a leading expert in identification of foreign information operations. Miburo’s research teams detect and attribute malign and extremist influence campaigns across 16 languages.

With the acquisition of Miburo, we will continue our mission to take action, and to partner with others in the public and private sectors to find long-term solutions that will stop foreign adversaries from threatening public and private sector customers and, in fact, the very foundations of our democracy.

Tags: cybersecurity, Miburo, Microsoft Threat Intelligence Center, Online Safety

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMWare instances.

As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).

Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it because these actors and groups have different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.

Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.

BlackCat’s anatomy: Payload capabilities

As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats.

BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered.

In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the following commands below (Table 1) via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.

The flags used by the attackers and the options available were the following: -s -d -f -c; –access-token; –propagated; -no-prop-servers

Command	Description
[service name] /stop	Stops running services to allow encryption of data
vssadmin.exe Delete Shadows /all /quiet	Deletes backups to prevent recovery
wmic.exe Shadowcopy Delete	Deletes shadow copies
wmic csproduct get UUID	Gets the Universally Unique Identifier (UUID) of the target device
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f	Modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology)
for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\”	Clears event logs
fsutil behavior set SymlinkEvaluation R2L:1	Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object, like a shortcut in many ways but more powerful
fsutil behavior set SymlinkEvaluation R2R:1	Allows remote-to-remote symbolic links
net use \\[computer name]  /user:[domain]\[user] [password] /persistent:no	Mounts network share

User account control (UAC) bypass

BlackCat can bypass UAC, which means the payload will successfully run even if it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions needed to encrypt the maximum number of files on the system.

Domain and device enumeration

The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.

Self-propagation

BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNC) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers using the credentials specified within the config via PsExec.

Hampering recovery efforts

BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:

• Modify boot loader
  • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default}”
  • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default} recoveryenabled No”
• Delete volume shadow copies
  • “C:\Windows\system32\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”
  • “C:\Windows\system32\cmd.exe” /c “wmic.exe Shadowcopy Delete”
• Clear Windows event logs
  • “C:\Windows\system32\cmd.exe” /c “cmd.exe /c  for /F \”tokens=*\” Incorrect function. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl \”Incorrect function. \””

Slinking its way in: Identifying attacks that can lead to BlackCat ransomware

Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.

For example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of these two incidents we’ve observed.

Case study 1: Entry via unpatched Exchange

In one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.

Discovery

Upon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:

• cmd.exe and the commands ver and systeminfo – to collect operating system information
• net.exe – to determine domain computers, domain controllers, and domain admins in the environment

After executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. They also used the del command to delete files related to their initial compromise activity.

The attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they used WMIC.exe using the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output of the results were then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to gather the last sign-in event.

Lateral movement

Two and a half days later, the attackers signed into one of the target devices they found during their initial discovery efforts using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.

The attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attacker followed up this action with a net scanning tool that opened connections to devices in the organization on server message block (SMB) and remote desktop protocol (RDP). For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.

These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.

Collection and exfiltration

On many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of data from the organization, including domain settings and information and intellectual property. To do this, the attackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for example, winlogon.exe, mstsc.exe).

Exfiltration of domain information to identify targets for lateral movement

Collecting domain information allowed the attackers to progress further in their attack because the said information could identify potential targets for lateral movement or those that would help the attackers distribute their ransomware payload. To do this, the attackers once again used ADRecon.ps1with numerous PowerShell cmdlets such as the following:

• Get-ADRGPO – gets group policy objects (GPO) in a domain
• Get-ADRDNSZone – gets all DNS zones and records in a domain
• Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain

Additionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.

Exfiltration for double extortion

Intellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid—a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through directories and project folders, among others, of each device they could access, then exfiltrated the data they found in those. 

The exfiltration occurred for multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.

Encryption and ransom

It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.

Case study 2: Entry via compromised credentials

In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.

Lateral movement

Once the attackers gained access to the target environment, they then used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.

Credential theft

ScreenConnect was used to establish a remote session on the device, allowing attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.

Eight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.

Persistence and encryption

A day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. The new user was then added to the local administrator group via net.exe.

Afterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment to allow them to re-establish their presence, if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.

Chrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.

Ransomware affiliates deploying BlackCat

Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.

Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.

DEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. Like many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:

• Entry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work
• The attackers’ use of their access to conduct discovery on the domain
• Lateral movement that potentially uses the initial compromised account
• Credential theft with tools like Mimikatz and Rubeus

DEV-0504 typically exfiltrates data on devices they compromise from the organization using a malicious tool such as StealBit—often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransom families before their adoption of BlackCat beginning December 2021:

• BlackMatter
• Conti
• LockBit 2.0
• Revil
• Ryuk

Defending against BlackCat ransomware

Today’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks they’re deployed or the attackers they work for.

Instead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.

In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices.

Leveraging Microsoft 365 Defender’s comprehensive threat defense capabilities

Microsoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.

Additional mitigations and recommendations

Defenders can also follow the following steps to reduce the impact of this ransomware:

Microsoft 365 Defender customers can also apply the additional mitigations below:

• Use advanced protection against ransomware.
• Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Ensure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.
• Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

For a full list of ransomware mitigations regardless of threat, refer to this article: Rapidly protect against ransomware and extortion.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

Microsoft 365 Defender Threat Intelligence Team

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender for Endpoint EDR

Alerts with the following titles in the security center can indicate threat activity on your network:

• An active ‘BlackCat’ ransomware was detected
• ‘BlackCat’ ransomware was detected
• BlackCat ransomware

Hunting queries

Microsoft 365 Defender

To locate possible ransomware activity, run the following queries.

Suspicious process execution in PerfLogs path

Use this query to look for processes executing in PerfLogs—a common path used to place the ransomware payloads.

DeviceProcessEvents
| where InitiatingProcessFolderPath has "PerfLogs"
| where InitiatingProcessFileName matches regex "[a-z]{3}.exe"
| extend Length = strlen(InitiatingProcessFileName)
| where Length == 7

Suspicious registry modification of MaxMpxCt parameters

Use this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).

DeviceProcessEvents
| where ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")

Suspicious command line indicative of BlackCat ransom payload execution

Use these queries to look for instances of the BlackCat payload executing based on a required command argument for it to successfully encrypt ‘–access-token’.

DeviceProcessEvents
| where ProcessCommandLine has_all("--access-token", "-v") | extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments
| where CommandArguments matches regex "^[A-Fa-f0-9]{64}$"

DeviceProcessEvents
| where InitiatingProcessCommandLine has "--access-token"
| where ProcessCommandLine has "get uuid"

Suspected data exfiltration

Use this query to look for command lines that indicate data exfiltration and the indication that an attacker may attempt double extortion.

DeviceNetworkEvents
| where InitiatingProcessCommandLine has_all("copy", "--max-age", "--ignore-existing", "--multi-thread-streams", "--transfers") and InitiatingProcessCommandLine has_any("ftp", "ssh", "-q")

Spirits soared at the Microsoft Security Excellence Awards on June 5, 2022. And is it any wonder? The celebration marked the first time that Microsoft executives and Microsoft Intelligent Security Association (MISA) members had gathered in person in more than two years so it was a special night for many reasons!

Formerly known as the Microsoft Security 20/20 Awards, the Microsoft Security Excellence Awards recognizes MISA member success across security during the past 12 months. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors (ISVs), and managed security service providers (MSSPs) working together to defend against increasing security threats.

Attendees donned their fashionably festive best and gathered at the brightly lit San Francisco Design Center for cocktails, dinner, networking, and awards recognition. They smiled as they caught up with folks they may not have seen in years—and some even made new connections.

The stars of the evening were all the MISA members that work tirelessly to ensure the security of our shared customers. Congratulations to all our award finalists and winners! After cocktails, conversation, and dinner, Microsoft executives Vasu Jakkal, Phil Montgomery, Andrew Conway, Alym Rayani, Irina Nechaeva, Desmond Forbes, Sue Bohn, Mandana Javaheri, Madhu Prasha, and Scott Woodgate handed out the awards. Vasu Jakkal, Corporate Vice President of Microsoft Security, praised the recipients for their achievements.

“I’m so honored to recognize this year’s award winners. MISA members regularly impress us with their shared vision of helping create a more secure world,” Vasu said. “They support this mission through their solutions and services, their dedication to innovation, and their dedication to customers. Security is a team sport, and we are so proud to defend together with our MISA community. Heartiest congratulations to all of this year’s winners.” 

Be fearless with comprehensive security

Microsoft and MISA members share a commitment to supporting customers in their efforts to be fearless. That means ensuring that they have the comprehensive security necessary to help them grow their enterprise securely to match their vision. When we talk about comprehensive security, we’re not referring merely to security coverage, though that’s important. We’re also talking about best-in-breed protection, built-in intelligence, and simplified management.

Being fearless when it comes to cybersecurity comes when companies:

• Gain confidence that their data and people are more protected—so they can limit nothing.
• Natively integrate individual layers of protection across clouds, platforms, endpoints, and devices.
• Get alerts from 24 trillion security signals analyzed every 24 hours.
• Reduce the risk of data breaches and compliance violations.

Of course, partners are key to giving customers the results that ease their security worries.

Our 2022 Microsoft Security Excellence Awards finalists

A Microsoft cross-functional group decided on this year’s 10 award categories, including 4 categories where MISA members could nominate themselves. We carefully selected these categories to celebrate all the unique ways that MISA members support customers and Microsoft security products. We received hundreds of award nominations and the same panel carefully read each and narrowed the award nominees to three for each category. Microsoft and MISA members then voted on our winners.

Security ISV of the Year

ISVs that are all-around powerhouses, show growth potential and have innovative security solutions that integrate with a MISA-qualifying security product.

Security MSSP of the Year

MSSPs that are all-around powerhouses with strong integration between Microsoft products and ongoing managed security services that drive the end-to-end Microsoft Security stack to our mutual customers.

Security Trailblazer

Partners that are outstanding leaders in accelerating customers’ efforts to mitigate cybersecurity threats and that have developed innovative solutions or services that leverage Microsoft Security products.

Compliance and Privacy Trailblazer

Partners that deliver innovative solutions or services and are distinguished leaders in driving holistic or end-to-end Microsoft compliance or privacy strategy with customers.

Identity Trailblazer

Partners that are leaders in the identity space and have driven identity-related initiatives and delivered innovative solutions or services with Microsoft Azure Active Directory.

Zero Trust Champion

Partners that are dedicated to supporting customers in their Zero Trust journey and that have demonstrated vital integrations with the Microsoft Zero Trust platform.

Security Software Innovator

ISVs that have developed innovative solutions with disruptive and transformative technology in collaboration with Microsoft that makes work easier for our mutual customers.

Security Services Innovator

MSSPs that are exceptional at educating the market on Internet of Things (IoT) and Operational Technology (OT) security-related initiatives and that deliver innovative and transformative security services to customers.

Security Customer Champion

Partners that go above and beyond to drive customer impact and that have a proven track record of customer obsession and success.

Security Changemaker

Individuals within partner organizations who have made a remarkable security contribution to the company or to the larger security community.

Excited for another year of MISA success

Congratulations again to all our finalists and winners! Your innovation and your commitment to helping customers be fearless impresses us every day. We can’t wait to see what exciting accomplishments our partners achieve over the next 12 months and hope to see you at next year’s Microsoft Security Excellence Awards!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

In 2021, workers everywhere reevaluated their professional and personal choices, leading to what became known as the Great Resignation. In 2022, a new trend that many are calling the Great Reshuffle has emerged, with 43 percent of the workforce saying they’re very likely to consider changing jobs or exiting their industry altogether in the coming year.¹

As our 2022 Work Trend Index, Great Expectations: Making Hybrid Work Work, revealed, employees have a new “worth it” equation and are voting with their feet.² As a result, employees are onboarding and offboarding more frequently. The constant flow of tasks, starting with applying for a job and navigating the first few days of employment, leaves much room for error, thus increasing stress for HR, IT, and each new employee.

Given that 73 percent of employees want to keep their work options flexible, more than three-quarters of Chief Human Resource Officers (CHROs) plan to preserve the newer hybrid work options available today and accommodate the flexibility that existing and prospective employees desire.³ Unfortunately, the complexity and cost of both onboarding and offboarding employees have increased in our new hybrid reality.

The 2022 Work Trend Index surveyed more than 31,000 people in 31 countries and found that 53 percent of people are likely to consider transitioning to hybrid work in the year ahead.

Workforce feedback and statistical studies reveal two challenges specific to credentialing:

1. The rising cost and frustration of employee onboarding.
2. Increased security risks of employee offboarding.

The rising costs and frustration of employee onboarding

The typical multistep process of the new hire onboarding journey became even more convoluted during the pandemic with the rise of both hybrid and fully remote work. As a result, managing the details of recruiting, interviewing, and hiring has become increasingly challenging, leading to a sharp rise in costs.

Organizations struggle with navigating the start of the employee journey for both in-person and remote workers in the most efficient and secure way possible. For example, the chart in Figure 1 summarizes the findings of a private study Microsoft conducted in 2021 to understand who’s involved in tasks associated with identity verification for new employees. Responses from 3,000 organizations show that HR and IT split these tasks almost evenly and that across the 14 industries surveyed, onboarding accounts for an astounding 14 to 31 percent of all ID verification spending.

In fact, 69 percent of employees are more likely to stay with a company if they experience great onboarding.⁴

Traditionally, HR teams have relied on physical documents—such as a driver’s license, birth certificate, or passport—and in-person communications to verify a new employee’s identity and credentials, a semi-manual process that can cause frustrating onboarding delays, flagging a potential concern given more remote, in-person, and hybrid options available in a competitive labor market. The modern workforce expects a more automated experience that’s also more secure. In fact, 82 percent of study participants wish there was a better way to perform verification.

Fortunately, recent advances in technology are making it possible to digitize identity information in a way that’s portable and privacy-respecting for the user, while helping businesses streamline their verification processes. This new technology, called verifiable credentials, is based on a decentralized identity approach and allows organizations to verify an individual’s credentials, such as employment or education. For the background check process, employers can confirm a new hire’s identity information digitally and within seconds from an authoritative source. The business can then issue an employee ID as a verifiable credential, which the employee can store in their digital wallet and use to access other resources that require employment confirmation, such as benefits enrollment or equipment purchases.

Although these modernization efforts must still align with government regulations that require physical inspection of original documents, they have the potential to significantly transform the employee’s onboarding experience and their first days on the job, making it easier for them to access the resources they need to be immediately productive in their new role.

Microsoft Entra Verified ID will help streamline the process of credential attestation, reducing frustration and delays that HR, IT, and new employees currently experience. The chart in Figure 2 illustrates a transformed onboarding journey, and how HR and IT manage both pre-onboarding (blue) and onboarding (green) to ensure the process runs smoothly for the employee.

As we all know, first impressions matter. By simplifying and expediting the onboarding experience, using verifiable credentials can help create a positive first impression that helps make employees feel good about joining an organization, rather than second-guessing their decision.

Increased risks of employee offboarding

When an employee leaves an organization, their access credentials—along with their access permissions—should be wiped clean to prevent valuable company information from walking out the door with them. Using modern identity governance tools such as verifiable credentials, IT can select one box to decommission a departing employee’s access to the organization’s digital assets. If HR tools are integrated with identity systems, then any changes HR makes in their systems automatically perpetuate to other IT systems, and vice versa.

The offboarding governance process may include revoking any employer-issued verifiable credentials used to grant access to organizational programs, such as employee discounts, or employee-only resources. Verifiable credentials also give employees a new level of control over their personal information. They can revoke permissions they’ve given their former employer to access verifiable credentials that share educational history, government-issued identity numbers, and other sensitive data. And with the introduction of Microsoft Entra Verified ID, it’s now possible to allow individuals, organizations, and devices to decide what information they share with whom, and to take it back if necessary.

The benefits of using verifiable credentials

According to the 2021 Employee Experience Survey Highlights, organizations that provide digitally transformed experiences are nearly three times more likely to report higher productivity than their industry peers, and 90 percent more likely to report lower annual turnover.⁵

Using verifiable credentials creates tangible benefits for HR and IT departments and the employees they support:

• Faster, easier, and less expensive processes. HR can start replacing some paper-based or in-person identity or credential verification processes to reduce onboarding time and get new hires productive sooner. IT can easily integrate verifiable credentials into existing systems without writing any custom code. 
• Compliance with ever-changing global privacy regulations. IT can implement decentralized identity solutions based on open standards that allow HR to verify an employee’s skills, certifications, education, and career history in a privacy-respecting manner.
• A better employee experience that strengthens recruiting and retention. Today’s employees expect easy, convenient, and contactless digital experiences that protect their privacy. Verifiable credentials provide a secure way for individuals to share their personal information with their employers and revoke access when they leave.

Avanade, a leading professional services and technology provider, is using Microsoft Azure Active Directory (Azure AD) verified ID to streamline credentialing processes and facilitate collaboration among employees, vendors, and clients.

Navigating the path ahead

The Great Reshuffle is the living, evolving proof that organizations need to pay closer attention to the employee experience. HR and IT business leaders must therefore respond to employee expectations for flexibility, safety, security, and support for their overall wellbeing. This response must start with a smoother onboarding process, in which verifiable credentials can significantly simplify and streamline.

Learn more about how Microsoft and verified ID can help your organization navigate the Great Reshuffle.

Read more information on the solution and open standards initiative with decentralized identities.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹2022 Work Trend Index: Annual Report, Microsoft. March 16, 2022.

²Great Expectations: Making Hybrid Work Work, Work Trend Index 2022, Microsoft.

³The Next Great Disruption Is Hybrid Work – Are We Ready?, Work Trend Index 2021, Microsoft. March 22, 2021.

⁴Don’t Underestimate the importance of good onboarding, SHRM. 2017.

⁵2021 Employee Experience Survey, WTW. July 20, 2021.

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn‘t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment. 

In this blog, we detail several of the ransomware ecosystems  using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

1. How RaaS redefines our understanding of ransomware incidents
   • The RaaS affiliate model explained
   • Access for sale and mercurial targeting
2. “Human-operated” means human decisions
   • Exfiltration and double extortion
   • Persistent and sneaky access methods
3. Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks
4. Defending against ransomware: Moving beyond protection by detection

How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network. 

Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365 Defender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services

RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.

Access for sale and mercurial targeting

A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

“Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.  

This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below.  

Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

• AnyDesk
• Atera Remote Management
• ngrok.io
• Remote Manipulator System
• Splashtop
• TeamViewer

Another popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond to evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. 

DEV-0193’s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444. 

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.  

DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.  

DEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available, or they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.

DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Beyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload xxx.exe, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.

DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.

Once successfully executed, the JavaScript framework, also referred to SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp,”  The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j 2. Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the wmiexec.py module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay.  In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 in this blog. DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. 

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. 

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

Here are some steps organizations can take to build credential hygiene:

• Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
• Use tools like LUA Buglight to determine the privileges that applications really need.
• Look for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
• Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.
• Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
• Use a cloud-based identity security solution that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities

Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use this detection guidance to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:

Cloud identity hardening

Multifactor authentication (MFA)

• Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
• Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
• Identify and secure workload identities to secure accounts where traditional MFA enforcement does not apply.
• Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).
• For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their computers. Refer to this article for an example.
• Disable legacy authentication.

Cloud admins

Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by  antivirus or EDR solutions. It’s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
• Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
• Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Reducing the attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:

• Common entry vectors:
• Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):

In addition, Microsoft has changed the default behavior of Office applications to block macros in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as RiskIQ, can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

• Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
• Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

Ransomware attackers also rapidly adopt new vulnerabilities. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE Engenuity ATT&CK® Evaluations, automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

In line with the recently announced expansion into a new service category called Microsoft Security Experts, we’re introducing the availability of Microsoft Defender Experts for Hunting for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

Join our research team at the Microsoft Security Summit digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. Register today.

More threats—not enough defenders

The security landscape has become increasingly challenging and complex for our customers. Threats have grown at an alarming rate over the last year, and cybercrime is now expected to cost the world USD10.5 trillion annually by 2025, up from USD3 trillion a decade ago and USD6 trillion in 2021.¹

As attacks increase in scale, so must our defenses. Last year, Microsoft Security blocked over 9.6 billion malware threats and more than 35.7 billion phishing and other malicious emails. Microsoft Security is actively tracking more than 35 ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities, and our technology blocks more than 900 brute force password theft attempts every second.

But technology alone is not enough to defend against cybercrime. Technology is critical, but it’s the combination of leading technologies, comprehensive threat intelligence, and highly skilled people that makes for a truly effective security posture. The challenge is that in this critical moment when cybersecurity has reached an inflection point, our nation is facing a cybersecurity talent shortage with nearly one in three—or 2.5 million—security jobs vacant in the United States,² pushing the time of detection for a breach to an alarming 287 days.³ And, even when talent is available, access to highly skilled expertise remains a challenge.

Our expertise is now your expertise

It’s getting harder every day for organizations to build and maintain a full security team, let alone one with the ever-expanding skillset required to meet the range of today’s security demands.

That’s why I’m thrilled to announce that Microsoft is expanding our existing service capabilities under a new service category called Microsoft Security Experts. Security Experts combines expert-trained technology with human-led services to help organizations achieve more secure, compliant, and productive outcomes.

Our vision is to deliver this new category of services across security, compliance, identity, management, and privacy. The first step on that journey is offering new and expanded services for security.

Video description: Microsoft Security Experts is a line of managed security solutions that combines human-led services with expert-trained technology to help organizations achieve better security outcomes. In this brief overview video, we highlight how this new suite of services delivers solutions across Microsoft’s security, compliance, identity, management, and privacy product categories.

Microsoft is uniquely positioned to help our customers and their partners meet today’s security challenges. We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives—with the full scale of our comprehensive multicloud, multiplatform solutions. Plus, we understand today’s security challenges because we live this fight ourselves every single day.

Now, our world-class security expertise is your security expertise.

New managed services from Microsoft Security

With input from our incredible partner ecosystem, we’ve designed three new managed services that can help you scale your team of experts to fit your needs—without the challenges of hiring and training them.

Microsoft Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity. Our experts will investigate anything they find and then hand off the contextual alert information and remediation instructions so you can quickly respond. With Experts on Demand, you can consult a Microsoft expert about a specific incident, nation-state actor, or attack vector with the simple click of a button. You will also get specific recommendations to help you understand and improve your security posture. Defender Experts for Hunting will be generally available in summer 2022, and you can request to be part of the preview now.

“Defender Experts for Hunting is like the tip of an iceberg. It is supported by all of the Microsoft applications, technologies, and cloud services overlaid with security tools that connect the entire system together, then powered by machine learning.”

—Igor Tsyganskiy, Chief Technology Officer, Bridgewater Associates

Video description: Bridgewater Associates goes all-in on Microsoft Defender Experts, heralding a new age in managed security services.

Microsoft Defender Experts for XDR is for customers who need to extend the capacity of their security operations center. Defender Experts for XDR is a managed extended detection and response (XDR) service that extends beyond endpoints to provide detection and response across Microsoft 365 Defender, investigating alerts and using automation and human expertise to respond to incidents alongside your team. You stay in control and reduce costs, excess noise, and manual processes. Defender Experts for XDR will move into preview in fall 2022.

“Our engineers and security team are very pleased with results and learning they get from the Defender Experts for Hunting service. Our clients are happy that we have such a robust service in place, and our management team is happy with its high return on investment and our increased security posture.”

—Chad Ergun, Chief Information Officer, DGS Law

Video description: DGS Law raises the security bar and levels the playing field with Microsoft Defender Experts.

Large enterprises looking for more comprehensive, high-touch managed services from Microsoft experts will benefit from Microsoft Security Services for Enterprise. This comprehensive, expert-led service combines proactive threat hunting and managed XDR, leveraging Microsoft’s complete security information and event management (SIEM) and XDR stack to protect all cloud environments and all platforms. Dedicated Microsoft security experts manage onboarding, daily interactions, practice modernization, and incident response for you. Microsoft Security Services for Enterprise is sold through a custom statement of work and is available today. Interested enterprise customers should contact their Account Executive to learn more.

Existing security services

Through our Microsoft Industry Solutions group, we currently offer a broad set of services for incident response and advisory. These service offerings, designed to support customers in times of crisis and to help them modernize their security practices, are delivered by Microsoft’s global team of professional services experts, and will become part of the Microsoft Security Experts portfolio. Watch the mechanics video to learn more.

Microsoft Security Services for Incident Response supports customers before, during, and after a breach. Incident response and recovery experts will help you remove a bad actor from your environment, remediate your defenses after a breach, and build resilience against future attacks. Our global team of experts leverages Microsoft’s strategic partnerships with security organizations and governments around the world and with internal Microsoft product groups to respond to incidents and help customers secure their most sensitive, critical environments. ​

Microsoft Security Services for Modernization is for customers that want to take advantage of Microsoft best practices and know-how as they embrace new modern security capabilities and embark on their security transformation. It provides consulting services that help customers at any stage of their security journey modernize their security posture and embrace a Zero Trust approach. Our modernization services utilize extensive cybersecurity knowledge and industry expertise gathered over 35 years to keep your business secure.

Security for all, together with Microsoft partners

One of our core principles at Microsoft Security is security for all. Meeting the needs of all kinds of organizations means offering choice—not only in the types of services customers buy but in who they buy them from. At the end of the day, we know that a single provider can’t meet the unique needs of every organization.

That’s why Microsoft is fully committed to working with an ecosystem of partners and technologies that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. Founded in 2018 with 26 charter members, our Microsoft Intelligent Security Association (MISA) has more than 300 members that include more than 100 service partners.

“This collaboration with Microsoft highlights their commitment to the partner community. The transparency and visibility provided by Microsoft, coupled with the feedback given by Critical Start during the design phase, allowed us to focus on driving value and providing the best outcome for customers.”

—Randy Watkins, CTO, Critical Start

As an industry-leading security company with more than 785,000 global customers, we believe that Microsoft Security service partners offer an important path for customers to get the services they need, and we rely on these partners to help us scale.

Our goal is simple: we want to empower customers, not only by offering world-class security products but also by providing access to critical human expertise when they need it from the best cybersecurity experts in the world. As some of the best defenders in the industry, our partners are essential for this vision.

An invitation to our managed XDR partners

Gartner® predicts that 50 percent of organizations will be using managed detection and response (MDR) services to contain threats by 2025.⁴ We want to invite all our managed detection and response partners to expand their offerings to help meet the critical customer need for managed detection and response services that go beyond the endpoint.

To help enable you to meet this growing demand, we will be making an incremental multimillion-dollar financial investment this coming year in our managed XDR partner community in three key areas. These new investments will expand the way we integrate with our managed XDR partners and create exciting new go-to-market opportunities. Microsoft is committed to showcasing verified partners and their managed XDR solutions on our marketing websites, through our commerce marketplaces, and in direct sales conversations with customers. We will do that in a few ways:

1. A new managed XDR partner designation within MISA will unlock an expanded set of co-marketing benefits to ensure partner offerings are front and center in each customer conversation.
2. We are launching a new co-sell benefit for managed XDR partners. This worldwide investment represents millions of dollars that can help you build your business around Microsoft’s advanced security products.
3. Based on input from our design partners, our engineering teams are building new APIs to help ensure partners have access to Microsoft threat intelligence.

“We are thrilled to have been an initial design partner for Microsoft Security Experts. The future of managed services will rely on the unique combination of threat intelligence, product leadership, and human expertise aligned under Microsoft Security Experts. We are looking forward to providing security services to our mutual customers tailored to their needs through deep integration with Microsoft threat intelligence through APIs, co-sell, and marketing opportunities.”

—Milan Patel, Global Head of MSS, BlueVoyant

More information on the new partner investments will be available during Microsoft Inspire, our worldwide partner conference taking place in July 2022. There, we’ll share specifics on how to integrate with the new APIs and take advantage of the expanded program benefits and go-to-market (GTM) opportunities. You can also find more information on our Microsoft Security Experts Partner page.

“Our partnership with Microsoft to create this new category of services will enable organizations to get ahead of cyberthreats, deepen their security resiliency and minimize the impact of incidents. At a time when the need for detection and response capabilities has never been greater, our collaboration will make a genuine human impact for all.”
—Rajiv Sagar, Cybersecurity Lead, Avanade

Looking to the future

Wherever you are in your security journey, Microsoft Security Experts will meet you there, whether you need additional security expertise, help with specific technologies, or guidance in navigating new security challenges. Leveraging industry-leading technology, the best defenders from Microsoft and our partner community, and the most comprehensive threat intelligence in the world, we can build a safer world for everyone, together. 

To learn more, join me and Satya at Microsoft Security Summit on May 12, 2022, or come see us in a few weeks at RSA—spoiler alert: cool things will be happening at the Microsoft Security Hub!

Partners, please join us at Microsoft Inspire, where we will share specifics on how to integrate with the new APIs and take advantage of the expanded program benefits and go-to-market (GTM) opportunities. You can also find more information on our Microsoft Security Experts Partner page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Steve Morgan, Cybercrime Magazine. November 13, 2020.

²America faces a cybersecurity skills crisis: Microsoft launches national campaign to help community colleges expand the cybersecurity workforce, Brad Smith, Official Microsoft Blog, Microsoft. October 28, 2021.

³Cost of a Data Breach Report 2021, IBM.

⁴Gartner, Market Guide for Managed Detection and Response Services, Pete Shoard, Craig Lawson, Mitchell Schneider, John Collins, Mark Wah, Andrew Davies, 25 October 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Did you know that May 5, 2022, is World Password Day?¹ Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.²

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.  

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
2. Sign in to your Microsoft account.
3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
4. Select Turn on.
5. Approve the notification from Authenticator.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.³ For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

• At least 12 characters long.
• A combination of uppercase and lowercase letters, numbers, and symbols.
• Not a word that can be found in a dictionary, or the name of a person, product, or organization.
• Completely different from your previous passwords.
• Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

• Only share personal information in real-time—in person or by phone. (Be careful on social media.)
• Be skeptical of messages with links, especially those asking for personal information.
• Be on guard against messages with attached files, even from people or organizations you trust.
• Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
• Ensure all the apps on your device are legitimate (only from your device’s official app store).
• Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
• Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

1. Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
2. With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹World Password Day, National Day Calendar.

²According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022.

³America’s Password Habits 2021, Security.org. October 1, 2021.

May 5, 2022, is World Password Day, a day we all use to create awareness around password security. At Microsoft, we choose to celebrate replacing passwords with better and more secure ways to sign in. I can’t think of a better person at Microsoft to represent this journey than Libby Brown, a senior product manager leading our efforts to keep Microsoft Azure Active Directory (Azure AD) customers more secure with passwordless solutions.

Here’s what I love about Libby’s story: her career has followed a winding path that ended up being the best possible path to the role she has today. Early on, she switched from engineering to public policy and then worked in publishing, product marketing, training, release management, and now product management. She’s spent time at a small publishing firm, at a startup, and at Microsoft. She pushed her way past every career hiccup, and as she moved forward, she gained experience that would later be relevant to her work in ways she had never anticipated.

Today, Libby is in a technical role, calling on everything she’s learned throughout her education and career to build usable experiences that make technology easier for businesses of all sizes. Her focus on usability is crucial; we’ve learned the hard way that unless security experiences are easy for IT administrators to deploy and manage, and easy for users to adopt, people will be reluctant to use them. Our goal is to make passwordless authentication even easier to use than passwords, which are hard to remember and far less secure. With her varied background working on an array of products for an array of different audiences, Libby is the perfect person to lead this charge.

Libby’s interview with Eric Sachs has been edited for clarity and length. We’ve included two video snippets of the interview recording so you can learn more about her unique career journey and perspectives.

Eric: I have three young daughters myself, and none of them has gotten interested in computers yet. How did you first get interested in them growing up?

Libby: I was pretty lucky. My older brother was interested in computers, so from the very earliest days, we had a Timex Sinclair computer—with a little chiclet keyboard and programs that saved to a cassette tape—and also an early Apple. I had the opportunity to attend Thomas Jefferson High School for Science and Technology in Northern Virginia which had just graduated its first class. Computers were just something in the background, from an early age, that I used. I recognize now, though, that I was pretty lucky to have that.

Eric: What did you decide to study in college after you had that opportunity in high school?

Libby: In high school, you take those career “What do you want to do?” questionnaires. My answers always led to engineering, so I attended Duke University to study mechanical engineering. It was an interesting time, but I realized I just did not care if you took a piece of metal and bent it where it would break. It wasn’t the kind of problem-solving that I liked. So, I looked around, took a couple of public policy courses—which turned out to be a different type of systemic problem solving—and ended up majoring in that.

Eric: You eventually got back to computers, so what was the next time you encountered technology?

Libby: After Duke, I returned to Washington, D.C., to get involved in public policy. My first job was for a small publishing company called Congressional Quarterly. They produced daily, weekly, monthly, and annual publications on what Congress was doing. My first job involved researching legislation and entering it into a database. With the year 2000, we needed to upgrade those databases, including how researchers entered the data and how customers pulled the data and were presented with it. I started doing things like designing what that screen would look like, what the website would look like, and designing the queries to pull the data for legislative reports. Little did I know at the time, that’s what I would be doing 20 some years later, just with different challenges, but still focusing on that foundational user experience, running those systems, and designing great opportunities and spaces for users.

Once we made it past the year 2000, we launched the Congressional Quarterly Website. It won a bunch of awards that year for being one of the newest, best magazine tools online. But also keep in mind, this was in the heyday of Web 2.0. Red Herring magazine was 300 pages thick, with information on all these great Web 2.0 companies and the future of e-commerce. Congressional Quarterly was a pretty small business. I realized I needed more scope and scale to succeed in this new world, so I decided to get my MBA. 

I chose Vanderbilt University because they had leading researchers in Web 2.0 e-commerce. I studied both information technology and strategy. This led me to think about how businesses take advantage of technology and use it to gain competitive advantage, which became the underlying thread to the rest of my tech career.

Video description: Libby describes her first role at Microsoft.

Eric: So, after business school, you came into Microsoft initially as a Product Manager for one of the company’s publishing arms, left for a startup, and then returned. What was different, and what worked well for you, when you came back?

Libby: I came back for a fun startup-like team within Microsoft called Office Live Small Business. We were working to give small businesses a free custom domain name with Hotmail mailboxes on the backend and a Microsoft SharePoint site they could easily customize to market to their customers. While our product was successful, other technologies were coming online, including Microsoft Exchange and SharePoint moving to the cloud, so we needed to reconcile that. Since we had experience with small businesses and users, our team pivoted to building the user and admin portals for what became Microsoft Office 365. Being part of that transition was a fun time.

Eric: Well, you had quite a journey to get there, but now you’ve been a product manager for a while at Microsoft. How did you end up in the identity team then, dealing with passwords?

Libby: Sometimes I’m not quite sure how I got here myself, but through a series of reorganizations, I found myself doing a weird set of roles around financial compliance for our commerce platform. I learned all about Sarbanes-Oxley compliance, payment card industry (PCI), and other interesting spaces, but it was not an area that I enjoyed. So, I reached out to my wide corporate network. As a product manager at Microsoft, you want to keep those connections active, and I was doing my, “Hey, what’s happening in your space of the company?” interviews with a bunch of friends and former coworkers. One of them happened to work in identity as the program manager lead for the Microsoft Authenticator app, and we realized that I had a lot of applicable skills. I joined that team in 2016.

Eric: I have to admit, I’m a little jealous because your current project’s very focused on passwordless authentication. What about your unique background do you think helps you with this particular challenge?

Libby: We wanted to make the experience of two-step verification easier for Microsoft consumers. As you know, not many people were comfortable with two-step verification, especially in 2016. They didn’t quite understand a password plus something else, whether that something else was an SMS code or a push notification to your phone. Then we said, well, if we can do password plus “push,” why can’t we just do the push and tie it to the device? We’d create a super easy experience of entering your username and responding to a notification on your phone. That got a lot of attention and traction.

And we were also working to build the same type of experience for work and school accounts in Azure AD. Given my background, I asked questions from an organizational standpoint about keeping our customers more secure. How can they make sure that their business is doing what it needs to do—without having to worry about those attacks? Creating a great user experience so employees can easily make that strong authentication gesture to be safe really helps the overall security posture of the company itself.

Video description: Libby explains how usability enhances security.

Eric: It’s pretty exciting. In the passwordless area, the FIDO Alliance recently published a white paper about passkeys. Part of it is about using a mobile phone to help sign in to other devices like a Microsoft Windows desktop. Can you explain a bit more about why that is so important? Windows devices and mobile phones have built-in biometrics—why can’t that just solve all problems and make all passwords go away?

Libby: Passwords have been in our systems now since the 1960s. It’s going to take us a little while to kill them off. But multidevice credentials, which some refer to as passkeys, really are that next thing that will enable us to do that. Most of us have a mobile device in our hands for the better part of the day, and we’re working to take advantage of the native biometrics on that device, whether it’s touch ID or face ID, or the Windows Hello gesture that you might use on your PC. We’re trying to use the native gesture on that device that everyone is familiar with, backed by this modern use of public-key cryptography to keep you secure.

Then I can use my phone as a passkey to sign in on my phone or to another device such as my Windows PC, or the Mac at my mom’s house, and it’s just seamless and ubiquitous. And when you think about the companies that have been involved—whether that’s Microsoft, Apple, Google—we’ve been in this from the very beginning and now we’re looking at more than six billion devices being able to use these standards-based multidevice credentials. When you look at those numbers and that scope and scale, it’s just pretty mind-boggling how we can transform in the next few years.

Eric: Cool! All of us who use passwords, which is just about everybody, want to thank you for taking on the password challenge and it certainly seems like your very unique career path makes you uniquely qualified for this challenge. I can’t wait to see where you lead us next on the passwordless journey.

Libby: Thanks, Eric.

Learn more

Help protect your organization with Microsoft’s complete identity and access management solution.

Learn more about Azure AD.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.